WebSphere Application Server - Problem to start the server after enabling global security

Ronaldo Queiroz

2004-02-18, 8:33 am

Hi,

I have 3 machines: 1 running the deployment manager and the 2 others running
1 was5 app server on each.
The 2 was5 machines are part of the same cell.
The operating system is Linux RH8 and all of the 3 machines are running
version 5.0.2.3

That's the scenario:
After enabling the global security I'm not able to start and stop servers
from the admin console.
I started the deployment manager using the command:
./startManager.sh -username user -password pw.
I started the 2 node agents using the command: ./startNode.sh -username
user -password pw.

If I try to start the servers from the admin console I get the error below.
If I start them from the command line passing user and password they start
with no problem.

I have already tried to sync them, using the command ./syncNode
dmhost -username user -password pw. I got a message showing the
synchronization was successfully done.

Does anybody know what could be the problem ?

Thanks a lot,

Ronaldo Queiroz.

[2/18/04 18:07:52:588 BRT] 1ad87670 RoleBasedAuth A SECJ0305I: Role based
authorization check failed for security name <null>, accessId
NO_CRED_NO_ACCESS_ID while invoking method getRepositoryEpoch on resource
ConfigRepository and module ConfigRepository.
[2/18/04 18:07:53:309 BRT] 1adb7670 LTPAServerObj E SECJ0375E: Mismatch of
realms during token validation.
[2/18/04 18:07:53:313 BRT] 1adb7670 LTPAServerObj E SECJ0373E: Cannot create
credential for the user <null> during the Validation of the token. The
exception is com.ibm.websphere.security.CustomRegistryException: The realm
in the token: labsrv6.lab.brq.com does not match the current realm:
labsrv7.lab.brq.com


Bo Nilsson

2004-02-19, 2:33 am

Ronaldo,
I guess you are using LocalOS as registry ?
LocalOS is not supported in a multi-node environment even if that is not
very clearly stated in the docs. See url (paste it together)
http://www-1.ibm.com/support/docvie...EQTP&q1=localos
&uid=swg21139779&loc=en_US&cs=utf-8&lang=en+en

Regards
Bo Nilsson
Software Group
IBM Sweden

Ronaldo Queiroz wrote:
> Hi,
>
> I have 3 machines: 1 running the deployment manager and the 2 others running
> 1 was5 app server on each.
> The 2 was5 machines are part of the same cell.
> The operating system is Linux RH8 and all of the 3 machines are running
> version 5.0.2.3
>
> That's the scenario:
> After enabling the global security I'm not able to start and stop servers
> from the admin console.
> I started the deployment manager using the command:
> ./startManager.sh -username user -password pw.
> I started the 2 node agents using the command: ./startNode.sh -username
> user -password pw.
>
> If I try to start the servers from the admin console I get the error below.
> If I start them from the command line passing user and password they start
> with no problem.
>
> I have already tried to sync them, using the command ./syncNode
> dmhost -username user -password pw. I got a message showing the
> synchronization was successfully done.
>
> Does anybody know what could be the problem ?
>
> Thanks a lot,
>
> Ronaldo Queiroz.
>
> [2/18/04 18:07:52:588 BRT] 1ad87670 RoleBasedAuth A SECJ0305I: Role based
> authorization check failed for security name <null>, accessId
> NO_CRED_NO_ACCESS_ID while invoking method getRepositoryEpoch on resource
> ConfigRepository and module ConfigRepository.
> [2/18/04 18:07:53:309 BRT] 1adb7670 LTPAServerObj E SECJ0375E: Mismatch of
> realms during token validation.
> [2/18/04 18:07:53:313 BRT] 1adb7670 LTPAServerObj E SECJ0373E: Cannot create
> credential for the user <null> during the Validation of the token. The
> exception is com.ibm.websphere.security.CustomRegistryException: The realm
> in the token: labsrv6.lab.brq.com does not match the current realm:
> labsrv7.lab.brq.com
>
>
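
The realm mismatch in the quoted log can be extracted from SystemOut.log mechanically. The following is an added example, not part of the original thread: it rejoins wrapped records, pulls the token realm and the current realm out of SECJ0373E, and lists calls that arrived with NO_CRED_NO_ACCESS_ID. The sample input is the thread's three log records with the line wrapping removed.

```python
import re

# Constructed sample: the three SystemOut.log records quoted in the thread,
# with the news-client line wrapping removed.
SAMPLE_LOG = """\
[2/18/04 18:07:52:588 BRT] 1ad87670 RoleBasedAuth A SECJ0305I: Role based authorization check failed for security name <null>, accessId NO_CRED_NO_ACCESS_ID while invoking method getRepositoryEpoch on resource ConfigRepository and module ConfigRepository.
[2/18/04 18:07:53:309 BRT] 1adb7670 LTPAServerObj E SECJ0375E: Mismatch of realms during token validation.
[2/18/04 18:07:53:313 BRT] 1adb7670 LTPAServerObj E SECJ0373E: Cannot create credential for the user <null> during the Validation of the token. The exception is com.ibm.websphere.security.CustomRegistryException: The realm in the token: labsrv6.lab.brq.com does not match the current realm: labsrv7.lab.brq.com
"""

RECORD = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\S+\s+\S+\s+\S\s+(?P<msgid>[A-Z]{4}\d{4}[A-Z]):\s+(?P<text>.*)$")
REALMS = re.compile(r"realm in the token:\s*(\S+)\s+does not match the current realm:\s*(\S+)")
DENIED = re.compile(r"accessId (\S+) while invoking method (\S+) on resource (\S+)")

def unwrap(raw):
    """Join continuation lines (those not starting with '[') to their record."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def analyse(raw):
    """Return realm mismatches and unauthenticated admin calls found in raw."""
    findings = {"realm_mismatches": [], "unauthenticated_calls": []}
    for rec in unwrap(raw):
        m = RECORD.match(rec)
        if not m:
            continue
        realms = REALMS.search(m["text"])
        if m["msgid"] == "SECJ0373E" and realms:
            findings["realm_mismatches"].append((m["ts"], realms[1], realms[2]))
        denied = DENIED.search(m["text"])
        if denied and denied[1] == "NO_CRED_NO_ACCESS_ID":
            findings["unauthenticated_calls"].append((m["ts"], denied[2], denied[3]))
    return findings

if __name__ == "__main__":
    for kind, rows in analyse(SAMPLE_LOG).items():
        for row in rows:
            print(kind, *row)
```

Both realms reported for the thread's log are host names of different machines, which fits the Local OS registry diagnosis given in the reply above.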


CheKim Chhuor

2004-02-24, 8:34 am

Ronaldo,

You can try to update the <WAS_HOME>/properties/soap.client.props file with:
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=yourID
com.ibm.SOAP.loginPassword=yourPW

I remember getting it to work before. But you'll have to encode the password
in soap.client.props using PropFilePasswordEncoder otherwise password will
stay in clear text.

CheKim Chhuor
IBM Poughkeepsie



"Bo Nilsson" <bo.nilsson@se.ibm.com> wrote in message
news:c12lk6$42n2$1@news.boulder.ibm.com...
> Ronaldo,
> I guess you are using LocalOS as registry ?
> LocalOS is not supported in a multi-node environment even if that is not
> very clearly stated in the docs. See url (paste it together)
> http://www-1.ibm.com/support/docvie...EQTP&q1=localos
> &uid=swg21139779&loc=en_US&cs=utf-8&lang=en+en
>
> Regards
> Bo Nilsson
> Software Group
> IBM Sweden
>



Jonathan Kwok

2004-03-02, 4:33 am

I got the same problem.
Even I setup the soap.client.props as described.
BTW, should / should not use Local OS User registry ?

Many many thanks !


"CheKim Chhuor" <chhuor@us.ibm.com> wrote in message news:<c1gfh6$66gm$1@news.boulder.ibm.com>...
> Ronaldo,
>
> You can try to update the <WAS_HOME>/properties/soap.client.props file with:
> com.ibm.SOAP.securityEnabled=true
> com.ibm.SOAP.loginUserid=yourID
> com.ibm.SOAP.loginPassword=yourPW
>
> I remember getting it to work before. But you'll have to encode the password
> in soap.client.props using PropFilePasswordEncoder otherwise password will
> stay in clear text.
>
> CheKim Chhuor
> IBM Poughkeepsie
>
>
>
Stefan T

2004-03-02, 9:33 am

I seem to remember to change the following file (if you use Network
Deployment they might exist in both app server and nd installation
directories)

$WAS_HOME/properties/sas.client.props

Change the value of the following property from "prompt" to "properties":

com.ibm.CORBA.loginSource=properties



$WAS_HOME/properties/soap.client.props


set the following properties:

com.ibm.SOAP.loginUserid=userid

com.ibm.SOAP.loginPassword=password


A good deal of this is described in the Redbook SG 24-6573 "WebSphere v5
Security" in appendix D and chapter 10.

Cheers

Stefan


"Jonathan Kwok" <jonathan_kwok_kw@hotmail.com> wrote in message
news:d8dcb234.0403020031.2db95b1@posting.google.com...
> I got the same problem.
> Even I setup the soap.client.props as described.
> BTW, should / should not use Local OS User registry ?
>
> Many many thanks !
>
>
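
The client property settings suggested in the two replies above can be checked before restarting anything. The following is an added example, not code from the thread: it audits the text of soap.client.props and sas.client.props for the values the posters name and flags a login password that lacks the `{xor}` prefix that PropFilePasswordEncoder writes. The sample file contents and user names are constructed, and the `com.ibm.CORBA.loginUserid` and `com.ibm.CORBA.loginPassword` keys are not mentioned in the thread.

```python
# Constructed sample files, following the settings quoted in the thread.
SOAP_PROPS = """\
# soap.client.props (constructed sample)
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword=changeme
"""
SAS_PROPS = """\
# sas.client.props (constructed sample)
com.ibm.CORBA.loginSource=prompt
com.ibm.CORBA.loginUserid=wasadmin
com.ibm.CORBA.loginPassword={xor}PDc+MTg6Mjo=
"""

def parse_props(text):
    """Minimal key=value parser; skips blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text, prefix):
    """Return a list of issues; prefix is 'com.ibm.SOAP' or 'com.ibm.CORBA'."""
    p = parse_props(text)
    issues = []
    if prefix == "com.ibm.SOAP" and p.get(prefix + ".securityEnabled", "").lower() != "true":
        issues.append("securityEnabled is not true")
    if prefix == "com.ibm.CORBA" and p.get(prefix + ".loginSource") != "properties":
        issues.append("loginSource is not 'properties'")
    if not p.get(prefix + ".loginUserid"):
        issues.append("loginUserid is empty")
    password = p.get(prefix + ".loginPassword", "")
    if not password:
        issues.append("loginPassword is empty")
    elif not password.startswith("{xor}"):
        issues.append("loginPassword is stored in clear text")
    return issues

if __name__ == "__main__":
    print("soap.client.props:", audit(SOAP_PROPS, "com.ibm.SOAP"))
    print("sas.client.props:", audit(SAS_PROPS, "com.ibm.CORBA"))
```

The `{xor}` form is an encoding rather than encryption, so read access to both files should stay limited to the account that runs the WebSphere processes.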


Niclas

2004-03-31, 2:02 pm

Hi Bo, I have the same setup as Ronaldo, 2 Base and 1 Deployment Manager of version 5.1.
If I want to enable Global Security then I have two options according to the infocenter:

1. Use a LDAP registry
2. Use a custom registry.

Option 1 is not really an option for us, we only have access to a Novell eDirectory 8.1.7 and that directory isn't supported or what?

Option 2, is it not the best way to implement the registry in a database that is accessible from every component in the setup, further this approach is as well best suited for performance and scalability, or what?

In the infocenter, IBM doesn't recommend to implement option 2 that relies on any component that is available in WAS, e.g. datasources. Do you have any good approach how to do this, normal JDBC connectivity doesn't perform that well, or?

Any suggestions or ideas?

Best regards
Niclas (Sweden)

Paul Ilechko

2004-03-31, 3:37 pm

Niclas wrote:
> Hi Bo, I have the same setup as Ronaldo, 2 Base and 1 Deployment Manager
> of version 5.1.
> If I want to enable Global Security then I have two options according
> to the infocenter:
>
> 1. Use a LDAP registry
> 2. Use a custom registry.
>
> Option 1 is not really an option for us, we only have access to
> a Novell eDirectory 8.1.7 and that directory isn't supported or what?


You might want to try it and see if it works - in general WAS will work
with any LDAP, even if not explicitly supported (which really just means
that IBM has tested with it)
>
> Option 2, is it not the best way to implement the registry in
> a database that is accessible from every component in the setup,
> further this approach is as well best suited for performance and
> scalability, or what?


Building a custom registry is complicated, don't underestimate that. You
have to understand that security initialization happens before the
appserver is fully up and running, so not all components are available.
Also the Node Agent and Deployment Manager need access to the CUR, and
at least the Node doesn't have a J2EE infrastructure.

> In the infocenter, IBM doesn't recommend to implement option 2 that
> relies on any component that is available in WAS, e.g. datasources.
> Do you have any good approach how to do this, normal JDBC connectivity
> doesn't perform that well, or?


It's not that it isn't recommended, it's that it won't work. You will
either have to roll your own connection pooling or use whatever your
jdbc driver provides.
